Documentation

v0.5.0

Everything to install fya, scan your app, and wire it into CI.

fya performs active security testing. Only scan systems you own or are explicitly authorized in writing to test. Any non-local target requires --i-am-authorized.

Installation

fya needs Python 3.9 or newer. The core install pulls only requests and rich.

pip install fya
pip install "fya[apk]"       # Android APK manifest analysis
pip install "fya[browser]"   # headless-browser crawler for SPAs

From a clone, with the test tooling:

git clone https://github.com/ayam04/fya
cd fya
pip install -e ".[dev]"

What's new

v0.5.0

16 new attack techniques and a codebase-wide bug sweep

  • New web checks: client-side JS secret exposure, exposed source maps, dumpable .git/.svn/.hg/.bzr repos, exposed config and credential files, directory listing, and advanced CORS bypasses (null origin, prefix/suffix match bugs).
  • New injection and SSRF checks: signature-based SSRF (cloud metadata and file://), MongoDB-style NoSQL injection, and XPath/LDAP/SSI injection.
  • New header checks: unkeyed forwarded-header cache poisoning, X-Original-URL/X-Rewrite-URL access-control bypass, missing COOP/CORP/Permissions-Policy, and cookie prefix and scope misuse.
  • New GraphQL hardening check: field-suggestion leakage, query batching, and GET/CSRF execution.
  • New mobile and source checks: insecure WebView JavaScript bridge, unverified App Links, weak custom-permission guards, and dangerous GitHub Actions workflow patterns (pwn-request and script injection).
  • Fixed 15 bugs found by an adversarial audit, including a CLI crash on malformed ports, false-positive sensitive-file detection, missed form-target and CDN-versioned library discovery, and two external-tool integrations (nikto, testssl) that silently never fired.

v0.4.0

Black, gray, and white-box test strategies

  • New black-box mode: input fuzzing and robustness. Malformed, oversized, wrong-type, unicode, null-byte, and format-string payloads that surface crashes and leaked stack traces.
  • New gray-box mode: IDOR detection and auth-bypass probing of protected routes.
  • New white-box mode: point fya at a source directory. Scans for hardcoded secrets and risky sinks (eval, exec, shell=True, pickle, disabled TLS verification), and folds in semgrep or bandit when installed.
  • Reports now group findings by test strategy, in the console, HTML, and Markdown.
  • Load, stress, and network-chaos testing are deliberately excluded. They are denial-of-service shaped. Use k6, Locust, or Toxiproxy for those.

Quickstart

Point fya at a local server or an APK. Localhost needs no authorization flag.

fya scan http://127.0.0.1:8000
fya scan ./app-release.apk

fya scan http://127.0.0.1:8000 -o report.html   # shareable report
fya scan http://127.0.0.1:8000 --fail-on high    # exit non-zero in CI
fya tools                                         # list detectable external tools

Try it against the bundled deliberately-vulnerable app in the repo:

python examples/vulnerable_app.py            # starts on http://127.0.0.1:5001
fya scan http://127.0.0.1:5001 --mode full -o report.html

The Claude skill

Prefer to stay in Claude? fya ships as a skill that makes Claude run the same non-destructive scan itself, with no package to install. It confirms you own the target, runs the checks, and reports in the chat.

Install it by copying one folder into your Claude skills directory:

git clone https://github.com/ayam04/fya
cp -r fya/skills/fya ~/.claude/skills/fya

On Windows the destination is %USERPROFILE%\.claude\skills\fya. Then just ask Claude:

scan http://localhost:3000 for vulnerabilities
check ./app-release.apk for security issues

Claude confirms the target and authorization, picks a mode and profile, runs the OWASP-mapped checks, and applies the same false-positive discipline as the CLI. It is fully agentic: it drives the probes with its own tools, so it works even where the package is not installed.

Targets

fya detects the target automatically. A path ending in .apk (or any zip containing an AndroidManifest) is analyzed statically. A local directory is treated as source and analyzed white-box. Anything else is a web target; a bare host defaults to http for localhost and private addresses and https otherwise.

fya scan http://127.0.0.1:8000    # web target
fya scan ./app-release.apk        # android package
fya scan ./my-service             # source directory, white-box
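The detection rule above, written out in Python as an added illustration; this is not fya's own code, and the function names and the exact private-address treatment (loopback, RFC 1918, link-local) are assumptions about how the documented rule behaves:

```python
import ipaddress
import os
import tempfile
import zipfile
from urllib.parse import urlsplit

# Added illustration of the documented target-detection rule. Function
# names and the private-address heuristic are assumptions, not fya's code.


def is_android_package(path: str) -> bool:
    """A .apk suffix, or any zip that carries an AndroidManifest, counts as an APK."""
    if path.lower().endswith(".apk"):
        return True
    if not os.path.isfile(path) or not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(os.path.basename(n) == "AndroidManifest.xml" for n in zf.namelist())


def is_local_or_private(host: str) -> bool:
    """localhost and loopback/private/link-local IPs default to http, not https."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public DNS name, so https
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify_target(target: str) -> tuple:
    """Return (kind, normalized_target) with kind in {"source", "apk", "web"}."""
    if os.path.isdir(target):
        return ("source", target)
    if is_android_package(target):
        return ("apk", target)
    if "://" in target:
        return ("web", target)  # scheme given explicitly, keep it
    host = urlsplit("//" + target).hostname or ""
    scheme = "http" if is_local_or_private(host) else "https"
    return ("web", f"{scheme}://{target}")


def build_sample_zip(with_manifest: bool) -> str:
    """Write a constructed zip to a temp dir for trying the rule offline."""
    path = os.path.join(tempfile.mkdtemp(), "sample.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("classes.dex", b"constructed")
        if with_manifest:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return path
```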

Scan modes

A mode selects which family of checks runs. Pick one with --mode, refine with --only and --skip, or choose from a menu with --interactive. List them with fya modes.

Mode       What it runs
auto       Everything that applies to the detected target. The default.
recon      Passive, read-only reconnaissance.
web        Web app: headers, TLS, active web checks, and API.
api        API surface plus supporting web checks.
mobile     Android APK static analysis.
blackbox   No internals: input fuzzing and robustness plus outside-in web checks.
graybox    Partial knowledge: IDOR, auth bypass, and API contract probing.
whitebox   Source access: static analysis of a code directory.
full       Everything, aggressive, including external tool handoff.

Load, stress, and network-chaos testing are deliberately out of scope. They are denial-of-service shaped and break the non-destructive guarantee. Use k6, Locust, or Toxiproxy for those, on infrastructure you own.

Profiles

A profile sets how hard fya probes, independent of the mode. Request pacing adapts automatically and slows down on errors, timeouts, and slow responses. fya never floods a target or runs denial-of-service payloads.

Profile      Behavior
passive      Read-only. Headers, TLS, cookies, disclosure, fingerprinting.
safe         Non-destructive active probes. Reflection, error signatures, CORS. The default.
aggressive   Heavier probing and external-tool handoff. Still non-destructive.

Authentication and scope

Scan behind a login, and keep the scan inside a boundary with scope and budget controls.

# authenticated
fya scan https://staging.example.com --i-am-authorized \
  -H "Authorization: Bearer $TOKEN"
fya scan http://127.0.0.1:8000 --cookie "session=abc123"

# scope and budget
fya scan http://127.0.0.1:8000 --include '/app' --exclude '/logout'
fya scan http://127.0.0.1:8000 --max-requests 500

# render JS and single-page apps (needs the [browser] extra)
fya scan http://127.0.0.1:8000 --spa

Baseline and CI

Record the findings you have accepted, then fail the build only on new ones.

fya scan http://127.0.0.1:8000 --write-baseline .fya-baseline.json
fya scan http://127.0.0.1:8000 --baseline .fya-baseline.json --fail-on high

Reports

Format is inferred from the -o extension, or set it with --format. Use --fail-on to return a non-zero exit code.

Format     Use it for
console    The default. A colored summary table in your terminal.
json       Machine-readable output for pipelines and dashboards.
sarif      Upload to GitHub code scanning. Includes fingerprints for de-duplication.
markdown   Drop into issues, wikis, or pull requests.
html       A self-contained, shareable page.

Checks catalog

58 checks across thirteen areas, each mapped to the OWASP Top 10 or MASVS and a CWE. Every check runs only at or above its minimum profile.

Web passive

min profile: passive
web.security_headers
web.version_disclosure
web.insecure_cookies

Web active

min profile: safe
web.reflected_xss
web.sql_injection
web.open_redirect
web.path_traversal
web.cors_misconfig
web.cors_advanced
web.dangerous_methods
web.sensitive_files

Web advanced

min profile: safe / aggressive
web.ssti
web.csrf
web.host_header
web.crlf
web.cache_poison_headers
web.url_override_headers

Web secrets & files

min profile: safe
web.js_secrets
web.source_map_exposure
web.vcs_exposure
web.exposed_config_secrets
web.directory_listing

Web SSRF & injection

min profile: safe
web.ssrf
web.nosql_injection
web.xpath_ldap_ssi_injection

Web hardening

min profile: passive
web.csp_weaknesses
web.jwt_weak_algorithm
web.jwt_missing_expiry
web.jwt_sensitive_claims
web.frontend_libraries
web.modern_headers
web.cookie_scope
web.security_txt
web.robots_sensitive_paths

Black box

min profile: safe
blackbox.input_fuzzing

Gray box

min profile: safe
graybox.idor
graybox.auth_bypass

White box (source)

min profile: passive / safe
whitebox.hardcoded_secrets
whitebox.dangerous_patterns
whitebox.cicd_misconfig
whitebox.static_analysis

TLS

min profile: passive
tls.certificate
tls.weak_protocol
tls.https_upgrade

API

min profile: safe
api.docs_exposure
api.graphql_introspection
api.graphql_hardening
api.verbose_errors
api.admin_endpoints

APK static

min profile: passive
apk.hardcoded_secrets
apk.cleartext_urls
apk.manifest
apk.webview_config

Integrations

min profile: aggressive
integrations.nuclei
integrations.nikto
integrations.nmap
integrations.sqlmap
integrations.tls

External tools

If any of these are on your PATH, fya runs them and folds their results into one normalized report. If not, it falls back to built-in checks. Check what is detected with fya tools.

nuclei nikto sqlmap nmap testssl.sh sslyze jadx apkleaks

Docker

The image bundles nmap, so external-tool handoff works out of the box.

docker build -t fya .
docker run --rm --network host fya scan http://127.0.0.1:8000

Responsible use

fya performs active security testing. Only scan systems you own or are explicitly authorized in writing to test. Scanning a non-local target requires --i-am-authorized. Scans are non-destructive by default, with no flooding and no denial-of-service payloads. You are responsible for how you use this tool.

Licensing

fya is dual-licensed. It is free for noncommercial and personal use under the PolyForm Noncommercial License 1.0.0, which covers hobby projects, research, education, personal study, and nonprofit or government use.

Commercial use requires a paid license — using fya in, or for, a for-profit company's products, services, or internal operations. To obtain one, contact ayamullahkhan04@gmail.com. Versions before 0.5.0 were released under the MIT License and remain available under those terms.